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Abstract 



It is generally believed that unconditionally secure quantum bit commitment (QBC) is 

O ! 

proven impossible by a "no-go theorem". We point out that the theorem only establishes the 
existence of a cheating unitary transformation in any QBC scheme secure against the receiver, 
but this fact alone is not sumcient to rule out unconditionally secure QBC as a matter of 
principle, because there exists no proof that the cheating unitary transformation is known to 
the cheater in all possible cases. In this work, we show how to circumvent the "no-go theorem" 
' and prové that unconditionally secure QBC is in fact possible. 
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Quantum information and quantum computation is a field of intense activities in recent 
years. The idea of applying quantum mechanics in cryptography was first introduced in 
the late 1960's 0, 0. So far, the most well known and successful applications are found 
in the area of quantum key distribution 0. Other important quantum cryptographic 
protocols include quantum bit commitment (QBC) 01^, quantum oblivious transfer 
0, 0, quantum coin tossing 0,0], and so on. In particular, QBC is a bàsic protocol, or 
primitive, which can be used to construct other more sophisticated protocols. Moreover, 
it has the potential of being the building block of any secure two-party cryptographic 
protocols 
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Hence the security of QBC is an issue of great importance in 
quantum information theory. 

A QBC protocol involves a sender (Alice) and a receiver (Bob). To begin with, Alice 
secretly commits to a bit b (0 or 1) which is to be revealed to Bob at a later time. 
In order to assure Bob that she will not change her mind, Alice gives Bob a quantum 
mechanical wave function which can later be used to verify her honesty (in the 

simplest model). A QBC protocol is secure if (1) Alice cannot change her commitment 
without being discovered (binding), and (2) Bob can obtain no information about the 
commitment before Alice discloses it (concealing) — that means the density matrix p# 
of \^b) m ust be independent of b. An unconditionally secure protocol is one which is 
secure even if Alice and Bob were endowed with unlimited computational power. 

The purpose of this letter is to propose a new QBC scheme and prové its unconditional 
security. Our result contradicts the widely held belief in a "no-go theorem" which claims 



that unconditionally secure QBC is impossible ï^, 
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14 Il5| . The central issue of the 
problem can be explained as follows. Instead of honestly sending t° Bob, Alice can 
always prepare another state \iPab}> in which sectors A and B are entangled, and delivers 
only sector B to Bob. Clearly, as long as 



Pb 



Bob will not know the difference. Furthermore, from the Schmidt decomposition of IV'ab) 

we k: 



and the fact that pg = p% (concealin g), we know there exists an unitary transformation 



Ua acting on sector- A only, such that 
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The fact that Alice can by herself transform \iPab) I^ab) (and vice versa) implies 
that she can cheat with the following sure-win strategy (so-called EPR attack): Alice 
always commits to b = in the beginning, and if she wants to change to b = 1 later on, 
she can simply apply the unitary transformation Ua to her partides before revealing her 
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bit. So in this simple model of QBC, if the scheme is concealing, it cannot be binding 
at the same time. The "no-go theorem" claims that this result is universally vàlid, and 
unconditionally secure QBC is ruled out as a mattcr of principle 



Despite its widespread acceptance, we find that the "no-go theorem" is actually of 
limited validity only. It is true that the theorem proves the existence of a cheating unitary 
transformation Ua in any QBC scheme which is secure against Bob, but this fact alone 
does not rule out unconditionally secure QBC as a matter of principle, unless one could 
also prové that Ua must be known to Alice in all such schemes. The "no-go theorem" 
simply asserts without proof that this is the case. Consequently we see that, as it is, 
the theorem only rules out a restricted class of QBC schemes where, at the end of the 
commitment phase, Alice has detailed knowledge of the wave function in Bob's hand. It 
says nothing about other possibilities. 

In the rest of this letter, we show with a concrete example how to circumvent the "no- 
go theorem" . Before proceeding, let us define the notations to be used and establish two 
preliminary results. First of all, we write the four Bell states in terms of the eigenstates 
(I \z)i I lz)) °f the Pauli matrix a z : 

|0±) = -^(|U*>±IU*>), (3) 

|1±) = -^(|U.>±IU«>)- (4) 

Also, we shall use the notation, 

|*> = {|0i>,|02>; çi,? 2 }, (5) 

where Çj > and q% + q% = 1, to denote a mixed state with density matrix 

= gi|0i)(0i| + ç 2 |02>(0 2 |. (6) 
Let (b = or 1) be an ordered sequence of n pairs of partides with wave function 

\s^ ) ) = \^ ) M ) )..\€ ) ), (7) 

where each ) is a mixed state given by 

\4 b) ) = {\b+)Ab-}; 1/2,1/2}. (8) 
As a short-hand notation, we write 

\S®) = {\b+),\b-); 1/2,1/2}". (9) 
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We label the partides in S$ as 

5^= {(l 1 2 1 ),(l 2 2 2 ),...,(l n 2 n )}, (10) 
where partides with the same subscript belong to the same Bell state. Let 

rS = {u,i 2 ,...,i n }, (ii) 

4? = {2 1 ,2 2 ,...,2 n }, (12) 

so that we can write 

s® = z!8 + 2!8. (is) 

Clearly the density matrix p^ of \S^) is different for b = and 6 = 1: 

pW^pW. (14) 

Therefore, given |<S^), Bob can readily find out the value of b. It is easy to see that \Sj®) 
and \S^) have the same density matrices as 

\Sp) = {\U,)AM,h V2,l/2} n , (15) 

and 

ffi = {|Í.UIU,); 1/2,1/2}", (16) 

respectively. Using these new representations of p^, one can easily prové two preliminary 
results about \S^): 

(I) If the particle order in S$® is randomized, then the only way to distinguish from 

is by measuring the total spin sum S 2 . That is, S z vanishes for b = 0, but not 
necessarily so for b — 1. 

(II) Suppose Bob is forced to measure each particle in along any arbitrary axis in 
the xy-pL·iie, then the resultant sequence will appear to be identical for b = and 1. 

We are now ready to specify our new QBC scheme, which has two crucial features: 
(1) In the commitment phase, Alice encodes the committed bit b in a quantum sequence 
whose density matrix is different for b = and b = 1. (2) Bob is forced to perform certain 
random measurements on the sequence so that the two cases become indistinguishable to 
him. At first sight, it would seem that our scheme is still covered by the "no-go theorem", 
since at the end of the commitment phase, the density matrix of the partides in Bob 
hand is independent of b. However this density matrix depends on Bob's random choices 
unknown to Alice, consequently she cannot cheat. 
(1) Commitment Phase: 
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(la) Let n and m be the security parameters, and N = n + m. Alice decides the value of 
b (0 or 1) and accordingly prepares a sequence of «Sjy , such that 

l4 b) ) = {|H),|6-); 1/2,1/2}". (17) 

Similar to Eq. (flïïjl. we decompose «Sjy into two subsequences, 

?(6) _ r(*>) , r( b ) 



°7V — ~IV1 Zj N2- 



Alice sends to Bob. 



(b) 

LU UUU. 

(6) 



(lb) Bob measures each particle in S^ 2 along an arbitrary axis èj in the xy-plane, and 
reports the outcomes (but not the èj's) to Alice. He then returns the measured partides, 
é^l, to Alice. 

(lc) Alice randomly chooses m partides in for testing, and asks Bob to disclose the 
axes along which he measured them. She can then check if Bob is honest by measuring 
these partides and their entangled partners in Alice terminates the protocol if Bob 
is found cheating. Otherwise she discards the 2m test partides, so that 

— > ^nl j (19) 

^N2 > ^n2i (20) 

and proceeds to the next step. 
(ld) Let 

= 27<? + ÉS- (21) 

Alice randomizes the particle order in , and sends the resultant sequence S*^ to Bob. 
(2) Unveiling Phase: 

(2a) Alice reveals the committed bit b. She also informs Bob how to recover «SW from 
«S* w , and specifies the individual spin states in the commitment sequence (i.e., S 



(b) 
N 



less m pairs of test partides). 

(2b) Bob verifies Alice's honesty by checking the characteristic spin correlation in each 
state in . Incorrect spin correlation in any one of the states signals cheating by Alice. 

Having specified the new QBC scheme, we proceed to prové that it is concealing. 
For simplicity, and without loss of generality, we shall use the representat ions of pW as 
given in Eqs. (fT3l ITB|) . Obviously, if Bob is honest in the commitment phase, then he 
cannot cheat afterward — this is just preliminary result (II) we established earlier. From 
preliminary result (I), the only way Bob can cheat is by finding out the spin sum S z of 
the commitment sequence. Therefore a dishonest Bob would try to measure only the test 
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partides as prescribed by the scheme, and the rest along z. The problem is that he does 
not know which partides Alice will choose for testing. 

Let us first consider Bob's classical cheating strategies: (1) Clearly Bob can cheat if he 
could correctly guess which partides in Alice would choose for testing, however his 
chance of success is only of order 2 _2n for m ~ n. (2) If Bob measures all the partides 
in sj^l along i instead of {èj} in the xy-plane, then his chance of passing Alice's check is 
2~ m . It is not hard to show that other similar strategies also do not work for large n and 
m. 

Next, we examine Bob's quantum cheating strategy. In this case, upon receiving 
from Alice, Bob determines the only spin projections (to be reported to Alice) but leaves 
the corresponding measuring axes {èj} undetermined at the quantum level; he will fix 
the axis information only when requested by Alice. Let \(fi) be the wave function of i-th 
particle in U^l- Through unitary operations, Bob can entangle ancilla partides with \(fi) 
to form 

\M<pt)) = E E \<x$K<*%\<pí) Pi\x k )\n, (22) 

fe=la=t,| 

where {é^} is a set of K randomly chosen unit vectors in the x?/-plane (i.e., è\-z = 0), \aè k ) 
denotes an eigenstate of o -è\ (with spin projection a), {\x k )} an d {|£ a )} are orthonormal 
sets of ancilla states, and finally 

E \Pi\ 2 = L (23) 

k=l 

With \&i((pi)), Bob can measure the ^-ancilla to obtain the spin projection a>i, and sepa- 
rately the x-ancilla to determine the corresponding axis. 
Measuring the ^-ancilla reduces |<£>j(<^j)) to 

l*i(T-M = E \^í)pí \x k ) (24) 



for \ifi) = | | 2 ), and 



K 



\Mï z )^) = j:^\^ k )p k \x k } (25) 

k=l 

for \(fi) = \ iz); where a.i =| or { is the outcome of the measurement, and cos(^) = è\ -x. 
Now if K = 2 and 

{el è l 2 } = {è í ,-è í }, (26) 

where èj is any unit vector satisfying éj ■ z=0, then Eq. (|2~4*j) and Eq. (j25]) become 
respectively 

\MïzH) =p\Wièi)\x l )+PÏWi-èi)\x 2 ), (27) 
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and 

|$i(j*H) = p]\aièi)\x l ) -P 2 i\ai-èi)\x 2 )- (28) 

Notice that these two expressions are in fact general because, no matter what K is, Eq. 
(j2H and Eq. (J23|) can always be rewritten in these forms by Schmidt decomposition. In 
any case, since \(fi) = {| f z ), | | 2 ); |, |}, therefore the combined wave function of the i-th 
particle and the x-ancilla is a 6-independent mixed state given by 

|Í>,(^H> = {^(^H), \$ittz)<Xih 1/2, 1/2}. (29) 
As far as its density matrix is concerned, we can equivalently write 

I^(^)oí) = {l^è^lx 1 ), loi-éiJIx 2 ); \p\\\ \pÏ\ 2 }- (30) 

It is more transparent to refer to this representation in the following discussion, since it 
involves only product states. 

Now, Bob keeps the x- an dllas, an d sends all the other partides (i.e., È^l) to Alice 
for checking [step (lc)]. Since èj • z = 0, Bob is guaranteed to pass Alice's check. Then, 
after discarding the 2m test partides, Alice sends the partides of and Sj^ to Bob 
in random order [see step (ld)]. As explained below, this randomization of the particle 
order conceals the 6-dependent correlations among the partides from Bob. 

From Eqs. (fT^iïïïjl and Eq. JSÜ|), we get 

\Z$) = {\W,\ls)\ 1/2,1/2}", (31) 

n 

l^ } > = II{l«i*>> !«*-*>; \pl\ 2 Ap 2 \ 2 h (32) 
i=i 

which are both independent of b. Therefore \S*^), being a random mixture of the 

and IX 1 ^ )) is independent of b. From Eq. (pïïlj) . we see that the collective wave function 

of the x-ancillas is also a 6-independent mixed state: 

n 

\x) = m\x 1 ),\x 2 ); \pI\ 2 ,\p 2 \ 2 }. (33) 

1=1 

It follows that the density matrix of all the partides in Bob's hand does not depend on 
b, therefore he cannot cheat. From a more intuitive point of view, after the partides of 
E^i and are randomly mixed, it becomes impossible for Bob to extract the total spin 
sum S z of S^i an d ^n2 ■ Then, according to preliminary result (I), he can no longer gain 
any information about the value of b. We thus conclude that this scheme is concealing. 

It remains to be proven that our new scheme is binding. First of all, we note that, 
in the unveiling phase, Alice has to provide Bob with two pieces of classical information 
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about the properties of the partides in his hand: (1) The permutation sequence that takes 
S*^ back to < Sffl , and (2) The quantum states in the original sequence The "no-go 



i_(2 





theorem" [12J, [13|, |14j, |15[ claims that, if Alice leaves these parameters undetermined at 
the quantum level until just before opening her commitment, then she would be able to 
cheat by "EPR attack" . We show below that this strategy does not work in this scheme. 

As we have already shown, whether Bob honestly measured the partides as prescribed 
or adopted a quantum strategy instead, at the end of the commitment of phase, the 
density matrix of the partides in Bob's hand is independent of 6. So there indeed exists 
an unitary transformation Ua which can map the 6 = case into 6=1. However it is 
clear from from Eqs. (|2*T| EBJ) that Ua depends on Bob's random choices, p\ and {èj}. 
Since Alice does not know these parameters, cheating is impossible. The point to note is 
that, as long = 0, our scheme does not further specifies how Bob should choose 

{è;}; hence, at the end of the commitment phase, Alice does not have precise knowledge 
of the wave function in Bob's hand. This concludes the proof that our new QBC scheme 
is unconditionally secure. 

In summary, we have proposed a new QBC scheme which is not covered by the "no-go 
theorem" 0, Q, Q, 0]. The crucial observation we made is that the so-called "no- 
go theorem" only establishes the existence of a cheating unitary transformation Ua in 
any QBC scheme which is concealing, however it has never been proven that Ua must be 
known to Alice in all possible cases. Our scheme provides a concrete example in which Ua 
depends on parameters not known to Alice, so that cheating by EPR attack is impossible. 
We conclude that QBC can be unconditionally secure after all. 
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